Dotdeb » PHP

Security update : PHP 5.3.10

Guillaume Plessis — Fri, 03 Feb 2012 01:25:52 +0000

A few hours ago, PHP 5.3.10 has been released by the PHP Group. It’s an important security update for PHP 5.3.9 users : Stefan Esser discovered a remotely exploitable bug, introduced with PHP 5.3.9′s max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.

Packages of PHP 5.3.10 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.
Those for Debian 5.0 “Lenny” (certainly the last ones before the end of its security support on Feb 6th) are coming in a few hours.

Advisory : buffer overflow in php5-suhosin

Guillaume Plessis — Tue, 24 Jan 2012 15:02:26 +0000

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory.

If you previously installed the php5-suhosin package, you should upgrade to its fixed new version (0.9.33) by running :

apt-get update
apt-get install --reinstall php5-suhosin

PHP 5.3.9

Guillaume Plessis — Thu, 12 Jan 2012 17:50:15 +0000

On january 10th 2012, the PHP group has released PHP 5.3.9, that brings over 90 bug fixes, some of which are security related :

Security Enhancements and Fixes in PHP 5.3.9:

Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)

Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).

Fixed bug #55609 (mysqlnd cannot be built shared)

Many changes to the FPM SAPI module

PHP 5.3.9 is now available on Dotdeb for :

both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
both amd64 and i386 architectures

As usual, please read the ChangeLog before upgrading and be sure to use to the latest packages before reporting any issue.

[edit] the packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least :

to 5.3.9-0~dotdeb.3 if you’re running Squeeze
to 5.3.9-0~dotdeb.2 if you’re running Lenny

PHP 5.3.8 is available

Guillaume Plessis — Tue, 30 Aug 2011 14:03:23 +0000

On August 18th, the PHP Group released PHP 5.3.7 with many security enhancements and many bugfixes. Sadly, it suffered from an issue with the crypt() function , forcing the PHP Group to publish PHP 5.3.8 (that fixes a mysqlnd issue with SSL connections too).

I’m glad too announce that PHP 5.3.8 packages are now available on Dotdeb for both amd64 and i386 architectures :

for Debian 6.0 Squeeze : on the main Dotdeb repository
for Debian 5.0 “Lenny” : on php53.dotdeb.org

Ugrading to PHP 5.3.8 is strongly recommended, but please read the Changelog before.

PHP 5.3.6 is available

Guillaume Plessis — Sat, 09 Apr 2011 16:07:34 +0000

On March 17th, the PHP Group released PHP 5.3.6. This maintainance release, that focuses on security, is now available on Dotdeb for Debian 6.0 “Squeeze” in amd64 and i386 flavours.

The compatibility with the official Debian packages has been improved and you (especially the FPM users) should really take care of some important changes that I made :

the intl extension is now built in a separate package : php5-intl
the FPM binary is now /usr/sbin/php5-fpm (previously /usr/bin/php5-fpm)
the FPM configuration file is now /etc/php5/fpm/php-fpm.conf (previously /etc/php5/fpm/php5-fpm.conf)
the FPM pools have to be moved to /etc/php5/fpm/pool.d/ (previously /etc/php5/fpm/pools/)

As usual, please read the Changelog before upgrading.

Note : The PHP 5.3.6 packages for Debian 5.0 “Lenny” should be released soon.
Update : the PHP 5.3.6 packages for Debian 5.0 “Lenny” are now available on http://php53.dotdeb.org/

Let’s monitor your PHP applications with Pinba

Guillaume Plessis — Mon, 31 Jan 2011 09:20:23 +0000

Do you know Pinba? It’s a great tool and you really should use it on your LAMP platform.

Pinba is a realtime monitoring/statistics server for PHP using MySQL as a read-only interface.

It accumulates and processes data sent over UDP by multiple PHP processes and displays statistics in a nice human-readable form of simple “reports“, also providing read-only interface to the raw data in order to make possible generation of more sophisticated reports and stats.

With Pinba extension users also can measure particular parts of the code using timers with arbitrary tags.

Pinba is not a debugging tool in a common sense, since you’re not supposed to do debugging on production servers, but its main goal is to help developers to monitor performance of PHP scripts, locate bottlenecks in realtime and direct developers’ attention to the code that really needs it.

Here is a sample graph :

I’m proud to announce that Pinba is now available on Dotdeb for Debian 6.0 “Squeeze”. Once you read the Pinba features and usage, you’ll want to install those two packages :

pinba-mysql-engine : a custom MySQL engine to store all the gathered data efficiently. It has to be installed with the latest mysql-server packages.
php5-pinba : the PHP extension you’ll use to accumulate data and timers directly from your PHP scripts.

I hope you enjoy it.

PHP 5.3.5, now for Squeeze

Guillaume Plessis — Tue, 11 Jan 2011 14:41:47 +0000

I just released PHP 5.3.5 packages for Debian 6.0 (a.k.a “Squeeze”), with some changes against the Lenny’s ones :

the packaging process has been improved : dependencies were cleaned up, PHP tests are now displayed, libtool 2.2 is now supported (thanks to the Debian team for their precious work)
3 new useful extensions have been packaged : gearman, phpredis and xhprof (without its interface files)

With these new packages, Dotdeb’s support for Squeeze is still experimental, but almost complete. Some more packages could be added in a near future :

MySQL (or Percona) Server 5.5 will replace MySQL Server 5.1. More info here and here.
a Nginx backport

The installation instructions did not change : just add Dotdeb’s GnuPG key to your keyring, pick a mirror near you and add squeeze-related lines to your sources.list. For example :

deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze all

And, of course, feel free to donate if you find Dotdeb useful.

You really should upgrade to PHP 5.3.5 or 5.2.17

Guillaume Plessis — Fri, 07 Jan 2011 10:53:42 +0000

A few days after releasing PHP 5.3.4 and PHP 5.2.16, the PHP group announced an important security update with PHP 5.3.5 and PHP 5.2.17 :

This release resolves a critical issue, reported as PHP bug #53632 and CVE-2010-4645, where conversions from string to double might cause the PHP interpreter to hang on systems using x87 FPU registers.

The problem is known to only affect x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. You can test whether your system is affected by running this script from the command line.

All users of PHP are strongly advised to update to these versions immediately.

The Dotdeb packages for Debian “Lenny” 5.0 are now available. You really should upgrade.

PHP 5.3.4 is available

Guillaume Plessis — Mon, 03 Jan 2011 21:10:19 +0000

After PHP 5.3.4 has been released by the PHP Group and after the corresponding Suhosin patch has been published by Stefan Esser, the PHP 5.3.4 packages for Debian “Lenny” 5.0 are now available on Dotdeb. Thanks for your patience.

Follow these instructions if you’re installing them for the first time. And as usual, please read the full announcement and the Changelog before upgrading.

Happy new year!

PHP 5.2 last update : 5.2.16

Guillaume Plessis — Mon, 03 Jan 2011 19:14:22 +0000

PHP 5.2.16 has been released by the PHP Group a few days after PHP 5.2.15 (fixing an open_basedir issue). It is now available on Dotdeb for your Debian “Lenny” servers.

This maintainance release marks the end of support for PHP 5.2. You are strongly encouraged to upgrade to PHP 5.3 (read this migration guide).

Please read PHP 5.2.15 and 5.2.16 release announcements and the full Changelog before upgrading.